On Wed, Apr 17, 2024 at 09:52:10AM GMT, Georgia Garcia wrote: > I just wanted to add that in the Ubuntu Noble Numbat release we are > using AppArmor to restrict unprivileged user namespaces.
> Applications that don't have an AppArmor profile will use a default > profile which denies the use of capabilities within the user > namespace. Applications that need to use capabilities will have to > be confined by a profile. Since we understand that creating an > AppArmor profile might not be a trivial task for large programs, we > introduced the "unconfined" flag which makes the profile act as if > it were unconfined from the perspective of AppArmor, allowing all > operations. > There are more details here: > https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-13 I wonder if this (at least the kernel part of it) is already in the latest PopOS rolling updates? I see some nodes in /proc/sys/kernel that look very related. -- Ian
